ghsa-hjh8-9gxh-cx4x
Vulnerability from github
Published
2023-05-16 18:30
Modified
2023-05-17 03:35
Severity
Summary
Jenkins CAS Plugin Session Fixation vulnerability
Details
Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login.
This allows attackers to use social engineering techniques to gain administrator access to Jenkins.
CAS Plugin 1.6.3 invalidates the existing session on login.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:cas-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32997"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-17T03:35:52Z",
"nvd_published_at": "2023-05-16T17:15:12Z",
"severity": "HIGH"
},
"details": "Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login.\n\nThis allows attackers to use social engineering techniques to gain administrator access to Jenkins.\n\nCAS Plugin 1.6.3 invalidates the existing session on login.",
"id": "GHSA-hjh8-9gxh-cx4x",
"modified": "2023-05-17T03:35:52Z",
"published": "2023-05-16T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32997"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/cas-plugin/commit/3a33cc0175bcc18801faf9125afb38d495b5995f"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3000"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jenkins CAS Plugin Session Fixation vulnerability"
}
Loading...